  #11 Untangler (Join Date: Dec 2009; Posts: 38)

    Quote Originally Posted by sky-knight:
        You realize that halting traffic on ports 1000-65534 will break just about everything too right?
    sky-knight, I know it breaks just about everything, but right now I don't care, I just want uTorrent blocked.

  #12 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,491)

    Ok... then just turn the firewall on default block and don't bother with any pass rules...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #13 dmorris (Untangle Junkie; Join Date: Nov 2006; Location: San Carlos, CA; Posts: 17,486)

    Quote Originally Posted by sky-knight:
        Ok... then just turn the firewall on default block and don't bother with any pass rules...
    I think many companies will start to do this for most user machines.
    Only port 80 & 443 outbound (DNS must be resolved internally).

    Sure it breaks tons of stuff, but it's easier for IT to deal with.
    The problem is of course things that always use port 80 anyway, but I don't think uTorrent is one of those, although certainly many P2P protocols do.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  #14 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,491)

    That's just it Dirk... I was one of the guys that used to set up draconian firewalls like that.

    It added a pile more administrative overhead to the network... and the boxes were taking just as much work to keep online. At the end of the day I had more work, more billable hours... and the client saw no benefit.

    I came to Untangle because the Protocol Control module, and other mechanisms that work at layer 7, are a more intelligent way to deal with this issue. The firewall module is an enforcement machine... it's out of date, and it just doesn't work anymore.

  #15 dmorris (Untangle Junkie; Join Date: Nov 2006; Location: San Carlos, CA; Posts: 17,486)

    Quote Originally Posted by sky-knight:
        It added a pile more administrative overhead to the network... and the boxes were taking just as much work to keep online. At the end of the day I had more work, more billable hours... and the client saw no benefit.
    What kind of issues were you seeing?
    Stuff like "My application XYZ won't connect." so you'd have to open the firewall manually?

  #16 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,491)

    My application XYZ won't connect... this web site doesn't work... parts of this web site don't work. We can't get our weather/stock reports... gag, the list is endless.

    In a world where standard ports are little more than a strong suggestion... you can't reliably use port level controls while maintaining standard levels of usability on a LAN.

    And don't forget that most applications don't have correct documentation for the actual ports used, or the direction of said use. So you end up spending time just figuring out what rules you're supposed to have.

    And the applications you wanted to stop... IM clients, P2P clients, spyware, etc, all used port 80 and 443 anyway so the only way to contain them honestly was to force everyone to a proxy that literally blacklisted "." and whitelisted management approved domains manually...
    Last edited by sky-knight; 12-11-2009 at 04:51 PM.

  #17 dmorris (Untangle Junkie; Join Date: Nov 2006; Location: San Carlos, CA; Posts: 17,486)

    Thanks for the feedback!

    I'm assuming when people complain that "part of webpages don't work" it's because of links to non-80 ports? Like "http://foo.com:1234/bar.jpg" and the like?

  #18 sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,491)

    Yeah... as I said, common ports are nothing more than a strong suggestion. The primary web site has to run on 80 so people can get to it without a funky URL... but the URLs behind that primary page can be whatever port the admin needs and it's totally transparent.
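As an added example (not code from the thread or from Untangle), here is a pre-deployment check for the 80/443-only egress policy dmorris proposes in #13 and the non-standard-port links discussed in #17 and #18: it parses a web page and lists the resource URLs whose effective port that policy would block, so an admin can estimate what "parts of this web site don't work" before flipping the firewall to default block. The sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Egress policy from post #13: only ports 80 and 443 allowed outbound.
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample page: the main site is on port 80, but several
# embedded resources live on non-standard ports (the #18 scenario).
SAMPLE_HTML = """
<html><body>
<img src="http://foo.com/logo.png">
<img src="http://foo.com:1234/bar.jpg">
<script src="https://cdn.example.com/app.js"></script>
<a href="http://reports.example.com:8080/weather">Weather</a>
<link rel="stylesheet" href="/static/site.css">
<iframe src="https://stock.example.com:8443/ticker"></iframe>
</body></html>
"""


class _ResourceLinks(HTMLParser):
    """Collect every src/href attribute value found in the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)


def effective_port(url):
    """Port the client would actually connect to; None for relative URLs."""
    parsed = urlparse(url)
    if not parsed.scheme or not parsed.hostname:
        return None  # relative link: same origin and port as the page itself
    return parsed.port or DEFAULT_PORTS.get(parsed.scheme)


def blocked_resources(html, allowed_ports=ALLOWED_PORTS):
    """Absolute URLs on the page that the port-only egress policy would block."""
    parser = _ResourceLinks()
    parser.feed(html)
    return [u for u in parser.urls
            if effective_port(u) is not None and effective_port(u) not in allowed_ports]


if __name__ == "__main__":
    for url in blocked_resources(SAMPLE_HTML):
        print("would break under 80/443-only egress policy:", url)
```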

  #19 Untangler (Join Date: Nov 2007; Location: Buenos Aires - Argentina - LATAM; Posts: 52)

    Ok, we are back on the same issue.
    As I have been telling you since long ago, blocking P2P isn't such an easy mission.
    And now the scenario is worse, with hundreds of direct download sites used as data and content repositories and the new sneaky star, yourfreedom, an OpenVPN encrypted proxy with applications like P2P, DDL and streaming.

    So if you have your mind open enough you must see www.opendpi.org and see how ipoque (www.ipoque.com) PACE works.
    Then, when you have a chance to test an ipoque PRX, you will not believe how an Atom 270 box with just 4 GB RAM can handle 2 links at 200Mb/s while also showing graphic reports of the traffic.

    If you are not so BW hungry, I have a couple of PRX 20 boxes to sell which are good up to 10Mb/s full duplex.

    NOTE: PRX are not firewalls, routers, antispam or AV servers. They are only application-based traffic managers.

    Rgds
    Carlos a.k.a. Crazyram

    Nothing is as easy as we think, nor as difficult as the manual describes.

  #20 Newbie (Join Date: Jan 2010; Posts: 3)

    Wishful Thinking

    Here's what I'd like to see... more dynamic rate limiting.

    What I'd like to see is throttling of bandwidth based on layer 7 content. Anything recognizable gets a pass. Anything not gets throttled down or blocked.

    I just installed Untangle, and as polished as it is... I'm annoyed at how some of the simple things don't seem to be able to be done.

    Anyone know how to run DHCP for two interfaces - without bridging?

    What about routing controls between two interfaces? I assume that you can bridge somehow?

    Also, how do I make the Management console available on a DMZ interface... or change a DMZ interface classification to Internal?

    Sigh... I love the Untangle concept... but there are a few basic things that can't seem to be done, or aren't intuitive. I spent a day rearranging my network and configuring Untangle. If it could do some of the things above, I'd buy it at twice the price. Without some of these things, I'll have to rip it out, and call that day I spent on this a part of my life I'll never get back, lol
